Compare commits

..

11 commits

Author SHA1 Message Date
Zygmunt Krynicki
149ad43c8f Merge branch 'rawhide' into epel10 2025-07-14 14:35:06 +02:00
Zygmunt Krynicki
60cf22398e Merge branch 'rawhide' into epel10 2025-03-25 14:34:52 +01:00
Zygmunt Krynicki
07a931bf19
Fix bad merge
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-01-22 13:56:24 +01:00
Zygmunt Krynicki
606c9b9b2c
Merge branch 'rawhide' into epel10 2025-01-22 13:42:50 +01:00
Zygmunt Krynicki
413593ae27
Re-cherry pick fix for SELinux timedatex problem
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2024-12-03 12:22:08 +01:00
Zygmunt Krynicki
0495d041f9
Bump release, add changelog
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2024-12-03 12:20:29 +01:00
Zygmunt Krynicki
1d9d4c5f66
Depend on xdelta only on EPEL-9 2024-12-03 12:16:56 +01:00
Zygmunt Krynicki
b27c453fb3
Merge branch 'rawhide' into epel10 2024-11-20 15:11:31 +01:00
Zygmunt Krynicki
1a0008de12
Merge remote-tracking branch 'origin/epel8' into epel10 2024-11-14 17:15:05 +01:00
Zygmunt Krynicki
14128e4ad8 Merge branch 'main' into epel9 2024-09-05 12:53:39 +02:00
Zygmunt Krynicki
2b199658c5 Update to 2.63
Small build change related to snap-seccomp, so that the progarm
continues to build on rawhide (-D_GNU_SOURCE) and another change related
to a stale removal of -Bstatic.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2024-05-27 09:06:57 +02:00
3 changed files with 77 additions and 347 deletions

6
.gitignore vendored
View file

@ -1,4 +1,2 @@
/snapd_2.71.no-vendor.tar.xz
/snapd_2.71.only-vendor.tar.xz
/snapd_2.72.no-vendor.tar.xz
/snapd_2.72.only-vendor.tar.xz
/snapd_2.70.no-vendor.tar.xz
/snapd_2.70.only-vendor.tar.xz

View file

@ -52,14 +52,9 @@
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
%global import_path %{provider_prefix}
%global snappy_svcs snapd.service snapd.socket snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target
%global snappy_svcs snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target
%global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket
# Note that packaging for Fedora does omit cap_setgid and cap_setuid that are
# only required to use snapd in user namespaces when the host system uses
# cgroup-v1 hierarchy. Since no actively supported Fedora release uses cgroup
# v1, those capabilities are omitted.
%global snap_confine_caps cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
# Until we have a way to add more extldflags to gobuild macro...
# Always use external linking when building static binaries.
%if 0%{?fedora} || 0%{?rhel} >= 8
@ -88,7 +83,7 @@
%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
Name: snapd
Version: 2.72
Version: 2.70
Release: 1%{?dist}
Summary: A transactional software package manager
License: GPL-3.0-only
@ -164,7 +159,6 @@ BuildRequires: golang(gopkg.in/tomb.v2)
BuildRequires: golang(gopkg.in/yaml.v2)
BuildRequires: golang(gopkg.in/yaml.v3)
%endif
BuildRequires: go-rpm-macros
%description
Snappy is a modern, cross-distribution, transactional package manager
@ -232,6 +226,7 @@ BuildArch: noarch
%endif
%if ! 0%{?with_bundled}
Requires: golang(go.etcd.io/bbolt)
Requires: golang(github.com/bmatcuk/doublestar/v4)
Requires: golang(github.com/coreos/go-systemd/activation)
Requires: golang(github.com/godbus/dbus/v5)
@ -241,12 +236,9 @@ Requires: golang(github.com/jessevdk/go-flags)
Requires: golang(github.com/juju/ratelimit)
Requires: golang(github.com/kr/pretty)
Requires: golang(github.com/kr/text)
Requires: golang(github.com/mattn/go-runewidth)
Requires: golang(github.com/mvo5/goconfigparser)
Requires: golang(github.com/rivo/uniseg)
Requires: golang(github.com/seccomp/libseccomp-golang)
Requires: golang(github.com/snapcore/go-gettext)
Requires: golang(go.etcd.io/bbolt)
Requires: golang(golang.org/x/crypto/openpgp/armor)
Requires: golang(golang.org/x/crypto/openpgp/packet)
Requires: golang(golang.org/x/crypto/sha3)
@ -263,6 +255,8 @@ Requires: golang(gopkg.in/yaml.v3)
%else
# These Provides are unversioned because the sources in
# the bundled tarball are unversioned (they go by git commit)
# *sigh*... I hate golang...
Provides: bundled(golang(go.etcd.io/bbolt))
Provides: bundled(golang(github.com/bmatcuk/doublestar/v4))
Provides: bundled(golang(github.com/coreos/go-systemd/activation))
Provides: bundled(golang(github.com/godbus/dbus/v5))
@ -272,12 +266,9 @@ Provides: bundled(golang(github.com/jessevdk/go-flags))
Provides: bundled(golang(github.com/juju/ratelimit))
Provides: bundled(golang(github.com/kr/pretty))
Provides: bundled(golang(github.com/kr/text))
Provides: bundled(golang(github.com/mattn/go-runewidth))
Provides: bundled(golang(github.com/mvo5/goconfigparser))
Provides: bundled(golang(github.com/rivo/uniseg))
Provides: bundled(golang(github.com/seccomp/libseccomp-golang))
Provides: bundled(golang(github.com/snapcore/go-gettext))
Provides: bundled(golang(go.etcd.io/bbolt))
Provides: bundled(golang(golang.org/x/crypto/openpgp/armor))
Provides: bundled(golang(golang.org/x/crypto/openpgp/packet))
Provides: bundled(golang(golang.org/x/crypto/sha3))
@ -485,7 +476,7 @@ providing packages with %{import_path} prefix.
%if ! 0%{?with_bundled}
%setup -q
# Ensure there's no bundled stuff accidentally leaking in...
rm -rf vendor c-vendor
rm -rf vendor/*
%else
# Extract each tarball properly
%setup -q -D -b 1
@ -509,95 +500,48 @@ export GOPATH=$(pwd):%{gopath}
# FIXME: move spec file really to a go.mod world instead of this hack
rm -f go.mod
export GO111MODULE=off
# Ensure we do not pass -mod=foo argument to go, as we disable modules and go
# does not allow us to do both.
sed -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' <packaging/snapd.mk >packaging/snapd2.mk
# Generate version files
cat <<EOF >snapdtool/version_generated.go
package snapdtool
./mkversion.sh "%{version}-%{release}"
func init() {
Version = "%{version}-%{release}"
}
EOF
cat <<EOF >cmd/VERSION
%{version}-%{release}
EOF
cat <<EOF >data/info
VERSION=%{version}-%{release}
SNAPD_APPARMOR_REEXEC=0
SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}'
EOF
# see https://github.com/gofed/go-macros/blob/master/rpm/macros.d/macros.go-compilers-golang
BUILDTAGS=
%if 0%{?with_test_keys}
BUILDTAGS="withtestkeys nosecboot structuredlogging"
%else
BUILDTAGS="nosecboot"
%endif
%if ! 0%{?with_bundled}
# We don't need the snapcore fork for bolt - it is just a fix on ppc
sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go
%endif
# We have to build snapd first to prevent the build from
# building various things from the tree without additional
# set tags.
%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
BUILDTAGS="${BUILDTAGS} nomanagers"
%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
%gobuild -o bin/snapd-apparmor $GOFLAGS %{import_path}/cmd/snapd-apparmor
# To ensure things work correctly with base snaps,
# snap-exec, snap-update-ns, and snapctl need to be built statically
(
%if 0%{?rhel} >= 7
# since RH Developer tools 2018.4 (and later releases),
# the go-toolset module is built with FIPS compliance that
# defaults to using libcrypto.so which gets loaded at runtime via dlopen(),
# disable that functionality for statically built binaries
EXTRA_TAGS="${EXTRA_TAGS} no_openssl"
BUILDTAGS="${BUILDTAGS} no_openssl"
%endif
%gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec
%gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns
%gobuild_static -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
)
# Generate snapd.defines.mk, this file is included by snapd.mk. It contains a
# number of variable definitions that are set based on their RPM equivalents.
# Since we can apply any conditional overrides here in the spec file we can
# maintain one consistent set of variables across the spec and makefile worlds.
cat >snapd.defines.mk <<__DEFINES__
# This file is generated by Fedora's snapd.spec
# Directory variables.
prefix = %{_prefix}
bindir = %{_bindir}
sbindir = %{_sbindir}
libexecdir = %{_libexecdir}
mandir = %{_mandir}
datadir = %{_datadir}
localstatedir = %{_localstatedir}
sharedstatedir = %{_sharedstatedir}
unitdir = %{_unitdir}
builddir = %{_builddir}
# Build configuration
with_core_bits = 0
with_alt_snap_mount_dir = 1
with_apparmor = 1
with_testkeys = %{with_test_keys}
with_vendor = %{with_bundled}
# follow what %%gobuild does
EXTRA_GO_BUILD_FLAGS = -v -x -compiler gc
EXTRA_GO_LDFLAGS = -linkmode external -extldflags '%__global_ldflags'
EXTRA_GO_STATIC_LDFLAGS = -linkmode external -extldflags '%__global_ldflags -static'
EXTRA_GO_BUILD_TAGS = rpm_crashtraceback $EXTRA_TAGS
__DEFINES__
# Generate version files
cat <<EOF >snapdtool/version_generated.go
package snapdtool
// generated by snapd.spec; do not edit
func init() {
Version = "%{version}-%{release}"
}
EOF
cat <<EOF >cmd/VERSION
%{version}-%{release}
EOF
# FIXME: We paste a fixed string but we should run some go code to generate the
# real value. We don't want to do that as that code needs to use host's
# libraries without talking to the proxy.
cat <<EOF >data/info
SNAPD_APPARMOR_REEXEC=0
SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}'
EOF
%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
(
%if 0%{?rhel} == 7
@ -633,11 +577,6 @@ autoreconf --force --install --verbose
%make_build %{!?with_valgrind:HAVE_VALGRIND=}
popd
# Build snap, snapd and other tools
%make_build -f packaging/snapd2.mk \
SNAPD_DEFINES_DIR=$PWD \
all
# Build systemd units, dbus services, and env files
pushd ./data
make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" DATADIR="%{_datadir}" \
@ -682,10 +621,25 @@ install -d -p %{buildroot}%{_datadir}/polkit-1/actions
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -d -p %{buildroot}%{_datadir}/selinux/packages
# Install snap and snapd
install -p -m 0755 bin/snap %{buildroot}%{_bindir}
install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snapd-apparmor %{buildroot}%{_libexecdir}/snapd
# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
ln -sf %{_libexecdir}/snapd/snapctl %{buildroot}%{_bindir}/snapctl
# Install SELinux module
install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
# Install snap(8) man page
bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
# Install the "info" data file with snapd version
install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
@ -715,12 +669,6 @@ pushd ./data
SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
popd
# Install snap, snapd and tools
# auto-remove unnecessary files and service units
%make_install -f packaging/snapd2.mk \
SNAPD_DEFINES_DIR=$PWD \
install
%if 0%{?rhel} == 7
# Install kernel tweaks
# See: https://access.redhat.com/articles/3128691
@ -728,7 +676,14 @@ install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.
%endif
# Remove snappy core specific units
rm -fv %{buildroot}%{_unitdir}/snapd.failure.service
rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
rm -fv %{buildroot}%{_unitdir}/snapd.recovery-chooser-trigger.service
# Remove snappy core specific scripts and binaries
rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
rm %{buildroot}%{_libexecdir}/snapd/system-shutdown
# Remove gpio-chardev ordering target
rm -f %{buildroot}%{_unitdir}/snapd.gpio-chardev-setup.target
@ -782,14 +737,19 @@ sort -u -o devel.file-list devel.file-list
%check
for binary in snap-exec snap-update-ns snapctl; do
ldd %{_builddir}/$binary 2>&1 | grep 'not a dynamic executable'
ldd bin/$binary 2>&1 | grep 'not a dynamic executable'
done
# snapd tests
%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel}
%make_build -f packaging/snapd2.mk \
SNAPD_DEFINES_DIR=$PWD \
check
%if ! 0%{?with_bundled}
export GOPATH=%{buildroot}/%{gopath}:%{gopath}
%else
export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
%endif
# FIXME: we are in the go.mod world now but without this things fall apart
export GO111MODULE=off
%gotest %{import_path}/...
%endif
# snap-confine tests (these always run!)
@ -812,6 +772,7 @@ make -C data -k check
%{_libexecdir}/snapd/snapctl
%{_libexecdir}/snapd/snapd
%{_libexecdir}/snapd/snap-exec
%{_libexecdir}/snapd/snap-failure
%{_libexecdir}/snapd/info
%{_libexecdir}/snapd/snap-mgmt
%{_libexecdir}/snapd/snapd-apparmor
@ -828,6 +789,8 @@ make -C data -k check
%{_systemd_system_env_generator_dir}/snapd-env-generator
%{_unitdir}/snapd.socket
%{_unitdir}/snapd.service
%{_unitdir}/snapd.autoimport.service
%{_unitdir}/snapd.failure.service
%{_unitdir}/snapd.seeded.service
%{_unitdir}/snapd.apparmor.service
%{_unitdir}/snapd.mounts.target
@ -866,19 +829,13 @@ make -C data -k check
%dir %{_sharedstatedir}/snapd/mount
%dir %{_sharedstatedir}/snapd/seccomp
%dir %{_sharedstatedir}/snapd/seccomp/bpf
%ghost %{_sharedstatedir}/snapd/seccomp/bpf/global.bin
%dir %{_sharedstatedir}/snapd/snaps
%dir %{_sharedstatedir}/snapd/snap
%ghost %dir %{_sharedstatedir}/snapd/snap/bin
%ghost %{_sharedstatedir}/snapd/state.json
%ghost %{_sharedstatedir}/snapd/system-key
%ghost %{_sharedstatedir}/snapd/snap/bin
%ghost %{_sharedstatedir}/snapd/snap/README
%dir %{_localstatedir}/cache/snapd
%ghost %{_localstatedir}/cache/snapd/commands
%ghost %{_localstatedir}/cache/snapd/names
%ghost %{_localstatedir}/cache/snapd/sections
%dir %{_localstatedir}/snap
%ghost %{_sharedstatedir}/snapd/state.json
%ghost %{_sharedstatedir}/snapd/snap/README
# this is typically owned by zsh, but we do not want to explicitly require zsh
%dir %{_datadir}/zsh
%dir %{_datadir}/zsh/site-functions
@ -889,9 +846,8 @@ make -C data -k check
%doc cmd/snap-confine/PORTING
%license COPYING
%dir %{_libexecdir}/snapd
%caps(%{snap_confine_caps}) %{_libexecdir}/snapd/snap-confine
%caps(cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace=p) %{_libexecdir}/snapd/snap-confine
%{_libexecdir}/snapd/snap-confine.caps
%{_libexecdir}/snapd/snap-confine.v2-only.caps
%{_libexecdir}/snapd/snap-device-helper
%{_libexecdir}/snapd/snap-discard-ns
%{_libexecdir}/snapd/snap-gdb-shim
@ -991,233 +947,6 @@ if [ $1 -eq 0 ]; then
fi
%changelog
* Thu Nov 13 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.72
- FDE: support replacing TPM protected keys at runtime via the
/v2/system-volumes endpoint
- FDE: support secboot preinstall check fix actions for 25.10+
hybrid installs via the /v2/system/{label} endpoint
- FDE: tweak polkit message to remove jargon
- FDE: ensure proper sealing with kernel command line defaults
- FDE: provide generic reseal function
- FDE: support using OPTEE for protecting keys, as an alternative to
existing fde-setup hooks (Ubuntu Core only)
- Confdb: 'snapctl get --view' supports passing default values
- Confdb: content sub-rules in confdb-schemas inherit their parent
rule's "access"
- Confdb: make confdb error kinds used in API more generic
- Confdb: fully support lists and indexed paths (including unset)
- Prompting: add notice backend for prompting types (unused for now)
- Prompting: include request cgroup in prompt
- Prompting: handle unsupported xattrs
- Prompting: add permission mapping for the camera interface
- Notices: read notices from state without state lock
- Notices: add methods to get notice fields and create, reoccur, and
deepcopy notice
- Notices: add notice manager to coordinate separate notice backends
- Notices: support draining notices from state when notice backend
registered as producer of a particular notice type
- Notices: query notice manager from daemon instead of querying
state for notices directly
- Packaging: Ubuntu | ignore .git directory
- Packaging: FIPS | bump deb Go FIPS to 1.23
- Packaging: snap | bump FIPS toolchain to 1.23
- Packaging: debian | sync most upstream changes
- Packaging: debian-sid | depends on libcap2-bin for postint
- Packaging: Fedora | drop fakeroot
- Packaging: snap | modify snapd.mk to pass build tags when running
unit tests
- Packaging: snap | modify snapd.mk to pass nooptee build tag
- Packaging: modify Makefile.am to fix snap-confine install profile
with 'make hack'
- Packaging: modify Makefile.am to fix out-of-tree use of 'make
hack'
- LP: #2122054 Snap installation: skip snap icon download when
running in a cloud or using a proxy store
- Snap installation: add timeout to http client when downloading
snap icon
- Snap installation: use http(s) proxy for icon downloads
- LP: #2117558 snap-confine: fix error message with /root/snap not
accessible
- snap-confine: fix non-suid limitation by switching to root:root to
operate v1 freezer
- core-initrd: do not use writable-paths when not available
- core-initrd: remove debian folder
- LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev
interface now with the more robust gpio-aggregator configfs kernel
interface
- Interfaces: gpio-chardev | exclusive snap connections, raise a
conflict when both gpio-chardev and gpio are connected
- Interfaces: gpio-chardev | fix gpio-aggregator module load order
- Interfaces: ros-snapd-support | grant access to /v2/changes
- Interfaces: uda-driver-libs, egl-driver-libs, gbm-driver-libs,
opengl-driver-libs, opengles-driver-libs | new interfaces to
support nvidia driver components
- Interfaces: microstack-support | allow DPDK (hugepage related
permissions)
- Interfaces: system-observe | allow reading additional files in
/proc, needed by node-exporter
- Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key
and Kensington VeriMark DT Fingerprint Key to device list
- Interfaces: snap-interfaces-requests-control | allow shell API
control
- Interfaces: fwupd | allow access to Intel CVS sysfs
- Interfaces: hardware-observe | allow read access to Kernel
Samepage Merging (KSM)
- Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP
- Interfaces: spi | relax sysfs permission rules to allow access to
SPI device node attributes
- Interfaces: content | introduce compatibility label
- LP: #2121238 Interfaces: do not expose Kerberos tickets for
classic snaps
- Interfaces: ssh-public-keys | allow ro access to public host keys
with ssh-key
- Interfaces: Modify AppArmor template to allow listing systemd
credentials and invoking systemd-creds
- Interfaces: modify AppArmor template with workarounds for Go 1.35
cgroup aware GOMAXPROCS
- Interfaces: modify seccomp template to allow landlock_*
- Prevent snap hooks from running while relevant snaps are unlinked
- Make refreshes wait before unlinking snaps if running hooks can be
affected
- Fix systemd unit generation by moving "WantedBy=" from section
"unit" to "install"
- Add opt-in logging support for snap-update-ns
- Unhide 'snap help' sign and export-key under Development category
- LP: #2117121 Cleanly support socket activation for classic snap
- Add architecture to 'snap version' output
- Add 'snap debug api' option to disable authentication through
auth.json
- Show grade in notes for 'snap info --verbose'
- Fix preseeding failure due to scan-disk issue on RPi
- Support 'snap debug api' queries to user session agents
- LP: #2112626 Improve progress reporting for snap install/refresh
- Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files
- Fix /v2/apps error for root user when user services are present
- LP: #2114704 Extend output to indicate when snap data snapshot was
created during remove
- Improve how we handle emmc volumes
- Improve handling of system-user extra assertions
* Fri Oct 10 2025 Alejandro Sáez <asm@redhat.com> - 2.71-1
- rebuild
* Fri Aug 22 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.71
- FDE: auto-repair when recovery key is used
- FDE: revoke keys on shim update
- FDE: revoke old TPM keys when dbx has been updated
- FDE: do not reseal FDE hook keys every time
- FDE: store keys in the kernel keyring when installing from initrd
- FDE: allow disabled DMA on Core
- FDE: snap-bootstrap: do not check for partition in scan-disk on
CVM
- FDE: support secboot preinstall check for 25.10+ hybrid installs
via the /v2/system/{label} endpoint
- FDE: support generating recovery key at install time via the
/v2/systems/{label} endpoint
- FDE: update passphrase quality check at install time via the
/v2/systems/{label} endpoint
- FDE: support replacing recovery key at runtime via the new
/v2/system-volumes endpoint
- FDE: support checking recovery keys at runtime via the /v2/system-
volumes endpoint
- FDE: support enumerating keyslots at runtime via the /v2/system-
volumes endpoint
- FDE: support changing passphrase at runtime via the /v2/system-
volumes endpoint
- FDE: support passphrase quality check at runtime via the
/v2/system-volumes endpoint
- FDE: update secboot to revision 3e181c8edf0f
- Confdb: support lists and indexed paths on read and write
- Confdb: alias references must be wrapped in brackets
- Confdb: support indexed paths in confdb-schema assertion
- Confdb: make API errors consistent with options
- Confdb: fetch confdb-schema assertion on access
- Confdb: prevent --previous from being used in read-side hooks
- Components: fix snap command with multiple components
- Components: set revision of seed components to x1
- Components: unmount extra kernel-modules components mounts
- AppArmor Prompting: add lifespan "session" for prompting rules
- AppArmor Prompting: support restoring prompts after snapd restart
- AppArmor Prompting: limit the extra information included in probed
AppArmor features and system key
- Notices: refactor notice state internals
- SELinux: look for restorecon/matchpathcon at all known locations
rather than current PATH
- SELinux: update policy to allow watching cgroups (for RAA), and
talking to user session agents (service mgmt/refresh)
- Refresh App Awareness: Fix unexpected inotify file descriptor
cleanup
- snap-confine: workaround for glibc fchmodat() fallback and handle
ENOSYS
- snap-confine: add support for host policy for limiting users able
to run snaps
- LP: #2114923 Reject system key mismatch advise when not yet seeded
- Use separate lanes for essential and non-essential snaps during
seeding and allow non-essential installs to retry
- Fix bug preventing remodel from core18 to core18 when snapd snap
is unchanged
- LP: #2112551 Make removal of last active revision of a snap equal
to snap remove
- LP: #2114779 Allow non-gpt in fallback mode to support RPi
- Switch from using systemd LogNamespace to manually controlled
journal quotas
- Change snap command trace logging to only log the command names
- Grant desktop-launch access to /v2/snaps
- Update code for creating the snap journal stream
- Switch from using core to snapd snap for snap debug connectivity
- LP: #2112544 Fix offline remodel case where we switched to a
channel without an actual refresh
- LP: #2112332 Exclude snap/snapd/preseeding when generating preseed
tarball
- LP: #1952500 Fix snap command progress reporting
- LP: #1849346 Interfaces: kerberos-tickets | add new interface
- Interfaces: u2f | add support for Thetis Pro
- Interfaces: u2f | add OneSpan device and fix older device
- Interfaces: pipewire, audio-playback | support pipewire as system
daemon
- Interfaces: gpg-keys | allow access to GPG agent sockets
- Interfaces: usb-gadget | add new interface
- Interfaces: snap-fde-control, firmware-updater-support | add new
interfaces to support FDE
- Interfaces: timezone-control | extend to support timedatectl
varlink
- Interfaces: cpu-control | fix rules for accessing IRQ sysfs and
procfs directories
- Interfaces: microstack-support | allow SR-IOV attachments
- Interfaces: modify AppArmor template to allow snaps to read their
own systemd credentials
- Interfaces: posix-mq | allow stat on /dev/mqueue
- LP: #2098780 Interfaces: log-observe | add capability
dac_read_search
- Interfaces: block-devices | allow access to ZFS pools and datasets
- LP: #2033883 Interfaces: block-devices | opt-in access to
individual partitions
- Interfaces: accel | add new interface to support accel kernel
subsystem
- Interfaces: shutdown | allow client to bind on its side of dbus
socket
- Interfaces: modify seccomp template to allow pwritev2
- Interfaces: modify AppArmor template to allow reading
/proc/sys/fs/nr_open
- Packaging: drop snap.failure service for openSUSE
- Packaging: add SELinux support for openSUSE
- Packaging: disable optee when using nooptee build tag
- Packaging: add support for static PIE builds in snapd.mk, drop
pie.patch from openSUSE
- Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
- Packaging: use snapd.mk for packaging on Fedora
- Packaging: exclude .git directory
- Packaging: fix DPKG_PARSECHANGELOG assignment
- Packaging: fix building on Fedora with dpkg installed
* Fri Aug 15 2025 Maxwell G <maxwell@gtmx.me> - 2.70-3
- Rebuild for golang-1.25.0
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2.70-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Jun 03 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.70
- FDE: Fix reseal with v1 hook key format
@ -1639,6 +1368,9 @@ fi
* Tue Dec 03 2024 Orion Poplawski <orion@nwra.com>
- Drop RestartMode from snapd.service on EL8 (rhbz#2315759)
* Tue Dec 3 2024 Zygmunt Krynicki <me@zygoon.pl>
- Constrain dependency on xdelta to EPEL-9
* Fri Nov 29 2024 Zygmunt Krynicki <me@zygoon.pl>
- Re-cherry pick fix for SELinux timedatex problem from upstream
as it was not released in 2.66.1, sorry.

View file

@ -1,2 +1,2 @@
SHA512 (snapd_2.72.no-vendor.tar.xz) = fb556bdb60877a2536cd8e53a7e137935ba27afb5b04efff06d8f858c47cec82a8f1df01fb621f644f0c2abe056a2b0612fabd70ae2d909b2e960692763b8bff
SHA512 (snapd_2.72.only-vendor.tar.xz) = f80b5def82553c044027fbb208fc5d5f76633afe71a8210abc33b48b189fd9347fd1d04bc868c58dc5d0b7fe8c68f6e316edbb6d2a2e060f375a5cdc851c2278
SHA512 (snapd_2.70.no-vendor.tar.xz) = f4864658793d2f6e11823b604c85cadc204a231e7efc5d9302d395c6afc7b500f389317cd3066a39a1d9f138aef5c8a0c2eff07dfb1c5b4473dfa5b489356689
SHA512 (snapd_2.70.only-vendor.tar.xz) = b6e0309bc56a1573a3edea2e35b3feb313f8220633a64f11f6d0a5b155d39b1b3a2b058edc2d01aca0bf04f4515a17f9011cb49b5c7aa96a5a4610d0032cddcb